bf1d420a0d0b2630bddefe9fce8e02c510dbfb3d2fd9360a2ec2ee5c23de8c65

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
25/05/2024, 18:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-25_4aa0c664911e8b9b98a3f6aa683609f5_ryuk.exe
Size

1.0MB
MD5

4aa0c664911e8b9b98a3f6aa683609f5
SHA1

9750315adb6db059968ea8a69938642f2d1e630d
SHA256

bf1d420a0d0b2630bddefe9fce8e02c510dbfb3d2fd9360a2ec2ee5c23de8c65
SHA512

79f7390b99f0bb054f1fdd760b1bdcd78fd42701dde9bf025e7bd04048e6d96fd51ce861a127387a2f43b0a34d5d14e19b6d1bb4158d64eb2d7eb9896b5c5393
SSDEEP

24576:m6V6gC/AyqGizWCaFbywCks7WE9F5pwg8zmdqQjC60jiHkU:m6cSGizWCaFbvCks7R9L58UqFJjskU

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3348	alg.exe
4148	elevation_service.exe
984	elevation_service.exe
3340	maintenanceservice.exe
2392	OSE.EXE
3280	DiagnosticsHub.StandardCollector.Service.exe
2732	fxssvc.exe
4696	msdtc.exe
4340	PerceptionSimulationService.exe
3652	perfhost.exe
4252	locator.exe
2004	SensorDataService.exe
5024	snmptrap.exe
4908	spectrum.exe
1548	ssh-agent.exe
416	TieringEngineService.exe
4792	AgentService.exe
4748	vds.exe
2720	vssvc.exe
5016	wbengine.exe
4212	WmiApSrv.exe
4344	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	2024-05-25_4aa0c664911e8b9b98a3f6aa683609f5_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\9e8dc99492be0f3e.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_91015\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_91015\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ffdc231bd4aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000233d451bd4aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000da2b131bd4aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b178401bd4aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008984ee1bd4aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000015c3ab1bd4aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000015c3ab1bd4aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4148	elevation_service.exe
4148	elevation_service.exe
4148	elevation_service.exe
4148	elevation_service.exe
4148	elevation_service.exe
4148	elevation_service.exe
4148	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	948	2024-05-25_4aa0c664911e8b9b98a3f6aa683609f5_ryuk.exe
Token: SeDebugPrivilege	3348	alg.exe
Token: SeDebugPrivilege	3348	alg.exe
Token: SeDebugPrivilege	3348	alg.exe
Token: SeTakeOwnershipPrivilege	4148	elevation_service.exe
Token: SeAuditPrivilege	2732	fxssvc.exe
Token: SeRestorePrivilege	416	TieringEngineService.exe
Token: SeManageVolumePrivilege	416	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4792	AgentService.exe
Token: SeBackupPrivilege	2720	vssvc.exe
Token: SeRestorePrivilege	2720	vssvc.exe
Token: SeAuditPrivilege	2720	vssvc.exe
Token: SeBackupPrivilege	5016	wbengine.exe
Token: SeRestorePrivilege	5016	wbengine.exe
Token: SeSecurityPrivilege	5016	wbengine.exe
Token: 33	4344	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4344	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4344	SearchIndexer.exe
Token: SeDebugPrivilege	4148	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4344 wrote to memory of 4392	4344	SearchIndexer.exe	124
PID 4344 wrote to memory of 4392	4344	SearchIndexer.exe	124
PID 4344 wrote to memory of 2128	4344	SearchIndexer.exe	125
PID 4344 wrote to memory of 2128	4344	SearchIndexer.exe	125

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-25_4aa0c664911e8b9b98a3f6aa683609f5_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-25_4aa0c664911e8b9b98a3f6aa683609f5_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:948

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:3348

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4148

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:984

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3340

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2392

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3280

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2140

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2732

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4696

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4340

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3652

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4252

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2004

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:5024

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4908

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1548

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5072

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:416

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4792

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4748

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2720

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5016

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4212

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4344
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4392
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
21c1437271f32a7ebadf831aab48c755

SHA1
6ade97b3c1af5603c71c3d02118e04e2730d2c7c

SHA256
6a1f72f1e67892116153219b8ffc3d25612c9f9e9bb03a9838bc1626426cf5ce

SHA512
5da90c8e793a7b76c9f572a88cfefb90523c5b70b3c703e9a820c9de3ff908e3ff2525a537d9b01f178d6fb58593e44df2e975f5872108d370b9439851c6c021

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
9139175d7218a33639be824bd46697dd

SHA1
55057723f28677d450f79f82b5547cdada32e21e

SHA256
31758af31e37b4b6ae4ecb57da602f3db91ed0b65b56af063a56423af0478426

SHA512
8c6e5e4db3e81cb13b3804ad1408a73cf5e2bceac1446ec8f8b665cadec0bc3e0199e7fa7294d4402a881ceb1b869a47bf96bc93fe893f05475e0cbe152f4386

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
4919516b3327445ffa0e028cd6b13a8e

SHA1
6039de67a5ecb04013efdf937145769133fa4227

SHA256
c74e0cc9a94b786bbf1a6695db0cb298c8a62e3414b50e0f52e89e5bd1994933

SHA512
1ef51b75a10e5999550a9069cec3f3b97707d4c233d00aff0c98240b5a79b6dbe8ed13c2285aac7b9fbcc9f1db87a0d0750e000b74f816ca0d086cee1961b163

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
7ffab83b577e50fccac06a468404afcf

SHA1
5a1ffafd57a3ffc413b4033ce11933f24b6179ef

SHA256
24198fd558d22fc4646930dc9705ab6896f1a9b6acdc31d187a9a16ffc1764e1

SHA512
956c45c3c850c146ad772613fc6935c9ac0ee7ac3de30ee6d762aea07a2f295e1070c9d083cbc38e615398705b43db2f7bdfafa916f1bbff8c9135f5de348a01

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
d0b1206d1372d86a8c239091c32c8055

SHA1
91e91c77a4c9442437be9b8531a039f24eda07b7

SHA256
949956bb0c41c09600575eea52882eea70969ab2daf8ecd9f6c4388f3ddccdc9

SHA512
2ba6ae1ba29ad17512b669b4c07d4eec90143d8888c34f7cf593f52f749e6ed5a307a43ec5f47092afff7d4da118b5f2c87ffb38baca3970673b2bc8af1e24d0

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
1cf48eb0440251a8d8e0cfa932813e81

SHA1
30ce2508bc56f9e2975e354c8758438d6a73e738

SHA256
0ac14255561732a7ba0d9517ac03ea3d82693d23994cb4ef3596d286848ab175

SHA512
ec7d0d4f7c045ff1316289a48a0ad52ea1bab47ca9b8b412accaaf58e63ddbcf93a3d122a3520cd9f203c62a232f2e183026237c4ffab92e24e9900eed45de8a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
f83ad313e31aeecc56f804152e32ef85

SHA1
ee4d4a876c0c21df8799b6514d9d5b671fd5f993

SHA256
f9e9c18766475351a2b71badeecd8c678f7d6fe10f5af49975fc3e239ca4b8d5

SHA512
f7a08aafe267a3ee58997c605e637b8fa75396138a03b2e719045fed14c4c66be2e1cbff449751c21f83cd6981275a72c446ee899f60e9c41b3305b31b74f478

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
1c9e28268176918cf2aabf5fecb35207

SHA1
3d10fb2b8637553f4ee2749332a47bae38895c6b

SHA256
7f14f35e311d5f149336c85c58e66292da7565c1dfae1f717d495bf3183fae58

SHA512
789ac32815ecd7237140ee565dd82060b6b8b5d84f3b65676167f88165882cff11ef93d459b29d867d9a9bb8dbf0462396c0b7072c2bc01dd72c97d0603dc224

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
47101d8db32faa48e63db47f3b477405

SHA1
b3edfe31bff5885bb8c87a656674d9c6dd51cc66

SHA256
888dfaeb4c235f022e5f3275a6a95fa0b1c07ffcafb49573acc5dd939944c077

SHA512
5461a165d71635f6f57295c1adf610a72f327419dbcab5a4664c97151bf8d8a966f63a8d7a029e1606ce22e90e476f4c88e7f0c7460c1eba68a57734cf3a4614

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
ba063afcfd765e6e0621189c25ac4f20

SHA1
c38640fb45f82ac516905d384dc531b95a87b5f5

SHA256
e23266f49062bb5dba3583cd75aef83242bc0380e629a8ed1e1e732fff954a09

SHA512
b2883e259822c6bc6eecde6f970d719425578d5b3b9e2c41cb9454a5a9cadd391a1b535335158c6432b5533847c382dab154b6630ff053617d4da245d851439b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
8fb7743c8f25b784401fe095ac3a057e

SHA1
cb7cdc162ef4129f948f7718fe1d08f7959175af

SHA256
dc95a55e238b545fe2d36c1244ae25183861b69f1851c8af34725534155c23ca

SHA512
0ee128d308a30f7a1d4dc2ec6ef8c4cbf817a7f671a9ccd0146f1bd7cffc082ae99b0156908b736b5b4208699ffee499a78388a84d8ae124eaf63db4176f5b69

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
25a9564eac8128a853e3e4deb20d8bad

SHA1
c11c363145a56fd4bcc35a843891879846eea28c

SHA256
0bb672cacc2777647b9b830d5745c43f00336ceaaffc7382561a5764fed3e8da

SHA512
ba03c09d14078ebec695c72bd3a3fef57655f494889f3e2432007c4b169d8d741345791e9d2132f67f6a2b3ad470cbdc30215dd5df0cc152a4ea3df4aaa4a4f1

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
4ba5a197b804f5ca80849f3ec1bd7e07

SHA1
a342b8b8555d89ecb0905cb001e3079d542f1c76

SHA256
cdc7d0af1413fcf25472b3fd3baae19cfdb6b298b76e1ad47b7ea45447f3a181

SHA512
9ab540c69733b92ee1402fcc02ede9fef6c5610d6727b2a27b93ea0a41ebeb427cfb7cc5e52dcfff36cfbc9691b650aac73b302e9470c4c552c579eb28ffa43d

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
b033ec7989df7bd3d22371c33842311a

SHA1
e54264544bd25320e1d3bc58470f060d889b1026

SHA256
46c899173454d945e5c7011f70841d81011c0dfff15046c04994dcfbcba32375

SHA512
aa1ce515756190660cf06cc4b22a58afb28770fe696ff6e6f39cd75b738d9b84fa6beca69bb079fe826f83fcd1fbd0267c4d21b0ccc2046f6e7e7361faef04df

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
7388d45192d1eaa8199a867b316f423d

SHA1
56e7f02898a20473de2b3f1384cb262928433893

SHA256
97ea30ce2c77744c25574df95d1c05fbbc12dfaef2e1031f09ca9cec7168f0b7

SHA512
e77f3ce6c0a947c63ec821f169f34b5267521e31d7a0ba86c47411a34c363d75be0db66cf8adfc07592b389ac6fc8d16672195a232e229c1c52ed023c9823b9d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
951a9e3acdb79be3f9e7929f9442577f

SHA1
5013642032d1be1ac11f16c314058e642c9c9587

SHA256
04c033a9a0202f994c444a35f2082703969c65572fb956d4e54e603c2c466b60

SHA512
490f820c1ab68a692c7fbe0221271721e7fed828477835e523f91f56297b4691bec63caf40597edefa1cb5dbf83b4f5d6d743ede6d0edcc9db331b547924258f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
1742a16004810d20006f9926517f8787

SHA1
6bb0bed11ff0aa2ee706cb154a2a5d9f3e4ad02d

SHA256
8934bdcf6d84fbe60b30bfe35dbcfb9a7220e6c7c6f51a6437392248e66d12f0

SHA512
223abf414b4906a00c0ca7a604a39cd60af74fbb77611edbd618d539bd2782f70457e91ee282d75ce16730eff3a4cf1423f5fbca46ad97e475266721a64c5672

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
081baeb7b568a29316fc94a23ec63956

SHA1
e66542441992602d0c5af665834aa41e56ff1839

SHA256
a7933366f5a76f214ddb9c5db1484425f9a116d22b02cb42f98281b211629ee5

SHA512
4875d6a0c97820f6480ef3a1f3a48790389edf1bdc33df381790921996acab9de199e370d5b8be6bcf0063c481b594893e321b99b6ad42dec0899154a8827838

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
41bcbd8e02d540d7d6a7ab3e605ea531

SHA1
6a9d64a8c3d034bd40f73a91bfc225b53b3acd1b

SHA256
7e185de42bdcd5fc9b66dcb761d5771fb7405079704bae69a169ebc8e383d036

SHA512
bcdd072423fc6852b01660c1b696e18ff9248df62b23febe29664f285fd7403845137d7e098382e76afcade5d120d92bdd434f8fe88735b97037370fc59c0a33

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
64092e3a66a7c480a7e1d7c4fe44e3f3

SHA1
f70f1e872b1452879a72afab173c89ab2fab3880

SHA256
ad77f85aad4f93777d1010ee6c102c99461e1a78b4266a495aaa0105c1b2f8bf

SHA512
b1b24cfab0cd5f4efb3d123d3af81b6245823024d5eeca0df86053be8ea8aa041e97409441c5f141cd24816cd4545a7cd7d7c1ff9a66fe75152f85ae62ce50cc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
2a6c616e0076cc47361a7f07ab0f4108

SHA1
fad429426a2d4573680c7b9a8f04ec78fb9bfef1

SHA256
05a4956b02fc74a5405fc4a22ce7b205bec66353feb6a4062fc143cf64e57f69

SHA512
2d6c18588c9874109f047a82ec83bf4cf4850702f7c47e073ab5f19bb315c56eb7b7f8a2e539eb6850f712e92397716252479813d9ac07a8e47625ff68766f05

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
5533c16953978b7fcb8f814f9e1ab250

SHA1
538a50ebd0a94152412ae361cbbe185f58a6adc7

SHA256
b77e9f1c37195b9ba9bec4ffcc1f9bc68f88da313010bafd239e861fb03c7a09

SHA512
4c19c9344e916454c36b610d7685bd4c3f02d734564c1fa3991daceeeaff1a6e110ff606e89800ecf921b38cc9aff2de0bfd51abaf513f2a5e04a380a073fbb5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
0f321926ce5ddf65d8f04cca8091e700

SHA1
33b370182e3d65eff3041872b01cb79b032257ad

SHA256
040114b85ca86780e872fad7026b0d0b0db29e3e2a08ef784ab0b44fea49d289

SHA512
b931953a708ba75dbe3f28e846662a546703b554784fc84241bc1d5a8ee4ce280221446a0d43f8feabc9119561c8f9795e02b5ee11053d8afc8b1959e2a3d4ed

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
a414500eaa5e9d0f58c850403e9886a2

SHA1
8e0a36d57c9d856e26c6ac299c1322dd17789eb4

SHA256
0ff35d4bcece4aa6b747a0935dc86818f9be942cb0393b11d1a952598ef3caf5

SHA512
8f8d5c043e34e655461bc3eba120604bebd1ad32d7f7e9be6e4fa0442230bf1975803ebe085b53368ecadb037e5743aaa7fc8cd1c952d1260f086b774788f363

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
208a9cf4d5f866013f84b7f4663454ac

SHA1
e8eb75d1959602c904a3f1ba0a1cbdaa928e6f25

SHA256
b76ff69670c2e3a8b26c96975c3e9f861b4e268bc70acc26fdd1f8772ce24b36

SHA512
04b557d2dc5e16ee196fca222e9f82837f5c43fbb335998ea42bedf1752d4eeaa100761a326fabc5fc7e8d64c4e30b04a7b98faf1b9dfb5d7cc052951c603c36

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
268b4e033c07d0b7ebdf67ea18ac6ac6

SHA1
c455290c26364fdd1a7c3483ce470f0f6f406226

SHA256
4981ef316bcf52956b6048c22e9e2676c2a034799d41c09dcbc9ecad16a8f9d3

SHA512
64348a5810bffdac7275ddf9e70708926acd5e235c2c40952b870d430f0d5c74fd03224f688f6053833d823d0bed5ab08c5e461f64150fb730f487768f192fb8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
ef4b66ba8350534ee3c56633fe16e426

SHA1
7158ca838d3123a15dccfcce7d14e8aa0be13310

SHA256
b9cef3cc609ee1106291dce3b78504ef485b99f7c8237a0b233a48fc4b8e659d

SHA512
26447c46ea2d21958088293bcdcbdaca94e9bc98a769688ba0aa9cd18220f6ef549a6242e11bd83817db8737c71744a0645adc256b52b3256e71cccbaa42274d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
07b59bea3f2d550131ec8198eb3f5cbe

SHA1
1fe99e65a39af06028a5919e212cad35497c51b5

SHA256
8f1a0c22d872bf0e130a164885c75d6eb1b5ae87b9518457f1346c879d94bfaf

SHA512
a38297c83c282917123a3132696de3d9795034074916393c3e00186e9c6d9e141d688862f97ddd3616fdef7f683d37efb48805d73987f25a211a84fe9ddabf77

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
a508d04b20a55e82a60cb3c07aaf810c

SHA1
0efb1e0c4a6de85af1ed980fa1cb4da10fe84c42

SHA256
85f896cc0e225add936635b255330561b140729aa7af1a3c8ef50906938358b5

SHA512
e7313c6eb6ae2f9a66524d5b6414b7a21d1d724fa01c3cccc5e29fee8a32dd3fe99a3a524e8af09165044d9659d94af7188b3f8181257fce7049603d4c1577e1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
3dbb8ce49b588945b6726ad83939fc05

SHA1
e21ede3f93a2fa9359f3bece82d953aca10dc67e

SHA256
040732718ddc102a42026250f9afc1b41cb28437490436e0b13d1eab2be3f7c3

SHA512
402a59edc00ab4031e399268b706972aa14f1864808828c82e2b57ee0380a4111b26e811aa38e8617089033cde7e793fd01d532614ef9bedc64ea1b13e2d4492

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
b0022f230fc93bcb6e4fba018fe66b0b

SHA1
7c901cb2ab90e92b3d15587b9e2740e225b58d20

SHA256
2dcd4fc4d435dae37007a4981378f2b68a31ec0c2d1b7b6249dd8697da5f5cb9

SHA512
16a195f7c3012883143e99f2a88d6602e3611508cc227ab98ac4c295da317861402284e31cf83b6b7cc92f282e0dee8d8aa18acb6f5c2a15e4fe7dfad17b59d6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
5347e12011390c5e4e59906994eb9a22

SHA1
f8294fb4863827ca11d513aba5eadc63289ecffc

SHA256
7d6ab115ecac5af68f5b19734e1f82762516b6b18a7cd083c861998085458c69

SHA512
0f4ad1180f31ea147ab9eb1381e2e7e8f3eddf25050097998bb14417c4eae9be8bb2e0c7dfd829c41b363258e2c0cab803decfc51c2330c72cf26950e4aa83f3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
1bb4f5f356dc3573f2740f5d4d5d9271

SHA1
df4aa47ae414bb28757103fb86d7ea7933bb1340

SHA256
fccf5fab19a58d9c7b58824647f3a202c75385d0de154e5ed6faeb5c96b40671

SHA512
b1eb080d692f095196d0c9b2d555e1708fb37c87f420a791ee25dc70cbd4e1771c2058a35fe3984cfaac08d24b09c68a2b856318ebb47eeda154b494c302b198

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
a241ec6a09df1a7c5109e6abaa8529e0

SHA1
a5bb7a5bfc4606674c647396e5ccd8bf6ff18029

SHA256
afcd9c24c03555e8cde0b8c6d091ae2256ce73103c711c5fcbe7aa04e61cff08

SHA512
5fce5f0a3e6b841b7d7ba2c3f30882c721074572e14f9e581390f8b6342b09a68aedebeb29afcfb90b6950e2d14988df8251e034ccbdeb09d622187aa1aed363

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
c9afd592b82cecccd094bcf1ffe49ffb

SHA1
ecfc44abd34bb5998cc19a63982305b8d5ea8e5b

SHA256
26870c6d5074a1d599d874e1b6c16417a36ca32a040632546a3a98f5075dc12e

SHA512
6ed9bfac90e3759459d25afdff06f80e5eeebd6949e308f3d5df3720bdd53ec81f545875d55f21a727b2a8c79c44bd49515ec370e62666f42fe61aebf8a93574

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
02e76f8415937583598d8bf39de1c476

SHA1
fbae1862583fb1737192b1d50b4e78483b237d40

SHA256
09777b7207b9a1fc53e3a69eacdcdc012a9653e6a2f9b4964805cc83bbb00eec

SHA512
25f5d061081dc70faa95834ca3b02449fda33ee2d58714c8cb267e1d315c8491433599b0387a99a372789509fc417b8fd0454a148d3905fcfaf85e9aca00c91d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
52da3898492c0e65b21412862aeebfd9

SHA1
846e8bebc646924487e7d9e6bf064f7746863a42

SHA256
0ba5397eab809d778f1f66bcc0052242c6b6e6e36cfeb38743ba70d1492c560d

SHA512
1959cff52ff15f03a88db471c75fe3f7676bc14e6ab7e32f8eb0a6e9d804d900fd373397ed9167c5f1a075412752394d0fe312137276cc1273277a0c932d477a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
a0b430a24da79d3d07ac66fd65882075

SHA1
84c8212572ffe38601415e7750cffb00be266184

SHA256
d9e51bf02b20b3ae105fdd825693ba7aacdf046420e35830c5aeb0ad28855045

SHA512
1d08f8d731a4b1c47fc18980b8a8de6e714643cb0bc6a155ef9c33af0b7cb69a7f2e085f61a34bd58da94057522c7c5c8fd0ee494db7f6e0a0fb05064a3dc86a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
335704b8de53a0dc93481f081a0bdfba

SHA1
c6835d2faebb96ce3c45790627d0b278fa100287

SHA256
e70c7f6cf41ca7bf6bf97d0d27862bc52f1150b8c6da0dce2d6fb9c59f3a4f54

SHA512
3d3b657396ec1397f72bc501de927e6830851c2dedffe542aa282ac7efc92e9ce8607de23ff3beac8c26a795d4cc78ff20e09af1664cd6b98b135110acbc4a7d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
581KB

MD5
75b07ed18b896bb209b3d2ab20dbe4bb

SHA1
69e1a4fa253982f9176312db1001188306f5f889

SHA256
69b9ea93faafaa1da1499a887e686614d4a8d58d0da7bfdae8c4e688850e2189

SHA512
b4e40988a020e4a008631f4aeb89ff0c1ef563686df1a1d76023d561324af2031f29faee80b851c8b0f2c2f7a9ddb1b48fa3e783983dc917ed7a29ee14ed99f5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
581KB

MD5
30d55e39a9b246394aeb1ce1eda2c92e

SHA1
b268c07c90e06e3e00dc67d2254c08cdc280fcf4

SHA256
573882e42b277e7082fc10feaa27a9900037773555ad740bda54452e00427565

SHA512
372a958c2032eec647cd9c1e830cfbb147776df69002527505a4a7519a7dcc0c8201ce66fbed89ecc646c2194b4073f1f3cef20985490931a2ef723869e0428a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
581KB

MD5
b3b263a14489cbed55282e6fb7aa9b6d

SHA1
fcb66623a21b94436bf8c8f2a86b107ccfac529d

SHA256
7ff7965e68c672d517ee264dca41c569f5abee8c9d1fa8e4bb0167bc4c6e5a7d

SHA512
477686e5df64e2bddeb9e582ac4ca6da2df14b08990bb8869900a8c5bd27b20b644900bd480ea0cda9335be18dd779b4b50a0a82b1b8f8c64e73cabf6e572671

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
581KB

MD5
94a4fdec8db4890750691714da1859be

SHA1
7ff8aa7a005ffee7918a9862c53d7b9e18b81f4f

SHA256
0ab1e6474f5a4c22cc56778fe0841658388ab74cb21912c7526ef3cd2ff802f0

SHA512
b96f8cfbb871fb40c70780a822a7a0c7bd4953f2f4dbbfa4021ba095b67af9c99e73a685533b48d07f0b8e53a5dd6d203a6027145e8d56051df8f3da1ab898ab

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
3e2d52bf9e663e4960ba0f26ef04de95

SHA1
4e6055fee487aa9ed8bfda166976a71ee65f34ec

SHA256
f4e9b29b9235762f554de109f4d955ba4f0b2193a141fbc96cb1050884290a4b

SHA512
18c558a689e1fe3bf2b769ece9d8ff632eb701053b8f11941c297dd421d3ea73d9b98630d014e9d4d11fcdb6878391e58efa6861b441b0f9330bfc24c0d3d1e1

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
e8f99ffdf3760f2675d5b629b974da3f

SHA1
8571b1c6f9fc0013de94c9cba451df8ccfa1d52a

SHA256
14161795a90e5fa0436d23655eb683b2703d6febad4ac15ff892b59a2ee34534

SHA512
aea6ffda316355de2422ef992563759d39899a7588309869b14fbac6ccdf5d29bd95f9bc3f078cff4267c7bab2e04f37980fb3b21f97c57c28b577849e60698b

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
347af876da502782af2b968ff64ff228

SHA1
8d556c0a8846a789b15192984aba121a20f7ab1d

SHA256
7a474fe19c3eaf6adff932993523d86412c0f17e97344036bbe63233627d6e87

SHA512
39ad747a52955359c3470cf39ae59447651dfc4eabcba01812f00ebf84a6d6acbdc7c52a8a462b9b9a9d84b4d27a08f956e873f9a939f2dde027c741d2078a91

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
cdb1010b864b1feaef8300c59f03df0a

SHA1
e10d467d1b8a5ac27749171fa2638e82d7303ab9

SHA256
815e3435fc2c641687ae381539803105e881021550f9fc97644b64bfcc2f1e76

SHA512
1db2953466b884b1562fdda826469c4d9af6d944b68e1e12ca417affb7188bebce8bfd53e954507524aac65b6a3b8236f89cdf84ba18542a777d4d31144837de

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
3fa40c59284b5bc2b5363192e5ded1f4

SHA1
f34c1642fc043b312d72627951185d062a5c5175

SHA256
663172be963c071ab23d895ddef0eb386e69b4eb30f429278f9db20f23102118

SHA512
b0fed6fba0bf4d94b9db2e17c78f03dc468524911850f2272e71f1c1034fd6f844b3f8c469647d5c563b9337e714f42aa81accda5af3c45c0a5ba5a294673607

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
31b5108f07a0941e3b2f43dcc8084f85

SHA1
5e1bd0b9ba29e0888663ff893faeb7d6ebef25cf

SHA256
5a62e71161103d2b9b3886f39337da4656aa48d1ad07fbff598f25938dbeb339

SHA512
9fa8422b34afb82b865276c756f6d281471d346c8790729f50f802f66c076fff7d906d600c1b986a403ccc41f2af14acad96e3313e3d95ec52eb3d2389a6da8a

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
87aee30123b9c5efda29a4575bc683bd

SHA1
c7f4dd6695f2f80bf86e9f58445a43e4152932e9

SHA256
2af32c54d19db28b7c4256cfeb224c9f4ec1ce37fef7ab29d4af378df9b0123b

SHA512
1c543826a3be9bd110e8c6d5be9f5c8fe0293c3880baf796a5387c12cd7c8f06dd728d9b2ea0e057b56e12f7e801f65b71eefd8bef45544157665859d9874129

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
b5ec6940a076d27c036513d040e25a1c

SHA1
4dc8823cb6ecd5e7c0b49200e296ed379f080777

SHA256
1635f78898c3d1d3e039712f30c3fb3fe1aa435a6f26d576082f8744a7a62d89

SHA512
69c4dd50a9e5320bf43cff212cf33d1428cf2ee95084523534b49d80f929791b6ce5e86cd4f274b6255ce8b9dfb371b4624417caab14ae595d68ca9555b63b91

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
cd48a8101612b10f3fc532fdd538ba29

SHA1
ed26a27105514b7d72b146068c729b4fbeb23ab0

SHA256
0ca02e7461f3bb487e951b8e2e8ae7527057d68cbfab285d710d6821184c712a

SHA512
9fb40b46bb37e0c22cc24a5869eb6d549cfd15faae173b136d383a0479853d1f28dba27348762cd075e8c97bc67c549bd4e00601f5a0f127cba2b12a667974f4

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
4cd7075462a057f7c5c8464d61a61149

SHA1
71712d210f61b4b7dedb25bc0ab515058c641bd4

SHA256
1cf0bddb570c9155b1aaef194ac84fcec61480e7d8f2b66a3ec8176399b7fb10

SHA512
7812f447ee88c1596ddb47a017e3ac4058c4807705813b3d1a223030527ce33ee91b24d83c031abb3a6c270af5f22df4370ca38db1564612e6830deaac1a322b

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
16b20b541334aa11e707fe132c1c6ac4

SHA1
df3916db68ff9e10f90084bbf11efc7f65784b8a

SHA256
84963bfa69a81eb887837f76db45992b7e26350d99ab4f1545b4c5343fea627d

SHA512
b0f4588d2d985531a28c4c6073d3e7649ec54ccc26d628c96945fa60877581a30652fefd5f952d812f5420d1e046dcc3e5b731bf2e2a5955ae497a184eb25845

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
9704217dc062e3f810f9da94b54525d0

SHA1
75845bea234129371008bc0f6404a842ca3e94ea

SHA256
df1c19cf5b7e953d466ddd8d7c709a38707f2066d782c16a175f8b7b8e3776d8

SHA512
886753995b62e863e31cf9764423282700a5ff58ae58a2620169d8e2f8ef284573a6f5e12deda984987801c96b3f518908d7f933c32cf8edf5702c89a44468c4

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
3d1ccb42a7938bebb2648e01f13458a7

SHA1
e686442a93dce909bab6a8cf67beae5fcf910660

SHA256
4279bfb8435cb84f2fe30f0bec35bb03778a86603b8c15d3cdabac3f93f2454c

SHA512
663a11c607908a1f9d3890f42660f6b73f8be432e9fe332ad92194ed165edbba5a7b21dc2bac680c4306ccc32d920a1c64bdd8416feea569d1fcc1b2e69553f0

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
c5098dab836d4d7001254a3ce65ddc48

SHA1
8b1477b807ce19c3e2526461960c2145ebe4f514

SHA256
3a174aef6cc72b8da3400410a17ffa01b1568b1818f4e9cdb0b31c0d3adc526e

SHA512
8ba5c068249cd9f9c3e441216115f25cf77a3405487b23ee4b1eafb5f493daed75e7973cc2d33b4931b0534217e46895e56bafc13e7cc1a674d39790cb8f12a6

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
74ddc466883c951669418b34e2ff9328

SHA1
258b4a55e39df018bf217a9798f735906d5386a7

SHA256
8a80b36bc7c8c77dc9cf4dda97f6ec5f897b10913f613091d35bacc27cda17f3

SHA512
8ca36fdf8103bcab74defa09ecd6fdf874551f7e7aeecb22283836b3b7748ea27427b4cc43c64ad19c3f67dfbe7ff8b061b71674619c83785ed5cba432c380ac

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
8ac032b5ea0422ecfd18bdac2e28583d

SHA1
a60a874d65c6939f40fed0ee581678460d3855e1

SHA256
6c9d035166c99e10c090f74b8e88b7619fc0337da5036143fc9ce8067d7899f2

SHA512
dcefdc46bc3ca5a9f5f0621a53e12ae8419756d85924f74767d070d88315b813c36bf17056a75febddba1270078733480fc8f39e5a9e2903ca3da155f75a9005

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
b1e258ca9f2dcf2c52ced531a095350b

SHA1
e59ddaa997d194ce2630afcf50ee80fc31dfa57d

SHA256
8a749046d45f48f2c5752d0606c446351a86ebfee296d82c3c2d5ed5c0a92ca3

SHA512
6a9b5e79b3188d75a419c5f96d5c0e9a75e5124856aafef2f5bcb4f69736793e917a922ca1a91a361a8755d205af45020e7dffea5f1fd596fc822245fed493cb

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
fbd5eefd1b1d4efcb351e126c08faf6c

SHA1
787e022b793247226054d3315762dd35bb5c86d1

SHA256
8f44d774f3699e556dd7ecac482858d8a5cafee6e2a59f817eec2d0f5469076a

SHA512
c8ac171627872a7799d2235a94c6a89ea0daea7b893f0dae9b09fcab83c67de4d91dd34aae5e90616fd95b98df9b65d15d7cffb3713cd2aaab3f627d3743fc79

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
e8b4c17226cf015c4983858b968bdd74

SHA1
bae0ab40a0313237a57e71b667d48a4972dd746d

SHA256
84fe27e2531248bbe7e79845d84fe8cd38676dddf52c9c70ec32c50490ce46e9

SHA512
8c8a813bbbd9d51e74a4094d7f24d885ff03c1ca6547d39494cc5936e34b61865f1eb2700ccac802075e1ec6298edf8f7ad8e21052feaf8d68be3dfd8ce6311e

Download Submit
memory/416-589-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/416-366-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/948-14-0x00000000009F0000-0x0000000000A50000-memory.dmp

Filesize
384KB

Download
memory/948-7-0x00000000009F0000-0x0000000000A50000-memory.dmp

Filesize
384KB

Download
memory/948-13-0x0000000140000000-0x000000014010E000-memory.dmp

Filesize
1.1MB

Download
memory/948-2-0x00000000009F0000-0x0000000000A50000-memory.dmp

Filesize
384KB

Download
memory/948-0-0x0000000140000000-0x000000014010E000-memory.dmp

Filesize
1.1MB

Download
memory/984-48-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/984-40-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/984-237-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/984-49-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1548-346-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1548-588-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2004-587-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2004-440-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2004-320-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2392-240-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2392-67-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2392-69-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/2392-75-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/2720-593-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2720-396-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2732-270-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2732-256-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2732-257-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/3280-253-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/3280-246-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/3280-363-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3280-245-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3340-54-0x0000000002280000-0x00000000022E0000-memory.dmp

Filesize
384KB

Download
memory/3340-68-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3340-52-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3340-63-0x0000000002280000-0x00000000022E0000-memory.dmp

Filesize
384KB

Download
memory/3340-59-0x0000000002280000-0x00000000022E0000-memory.dmp

Filesize
384KB

Download
memory/3348-17-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/3348-23-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/3348-16-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3348-235-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3652-297-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3652-407-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4148-28-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/4148-37-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/4148-236-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4148-36-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4212-595-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4212-420-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4252-300-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4252-419-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4340-395-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4340-291-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4344-598-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4344-441-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4696-271-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4696-383-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4748-384-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4748-592-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4792-377-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4792-381-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4908-334-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4908-584-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5016-594-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5016-408-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5024-332-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download